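#!/usr/bin/env bash
# IPv6 packet filter for a three-interface gateway (WAN / LAN / DMZ).
# Every chain starts with a DROP policy and traffic is then opened up
# explicitly. Must run as root.
#
# Abort on the first failing command or unset variable: with DROP
# policies already set, a partial ruleset fails closed, which is
# preferable to silently continuing past a rule that did not load.
set -eu

# Interface definitions
WAN_IF=eth1
LAN_IF=eth0
DMZ_IF=eth2
LAN_NET=2001:db8:1::/64
DMZ_NET=2001:db8:2::/64

# Delete the ruleset: flush every rule, then remove user-defined chains
# (-F alone leaves empty custom chains behind)
ip6tables -F
ip6tables -X

# Define a policy
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP

# Allow loopback communication
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT

# Enable stateful inspection
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Anti-spoofing: the loopback address may only appear on lo, and unique
# local addresses (FC00::/7) must never arrive from the WAN side
ip6tables -A INPUT ! -i lo -s ::1/128 -j DROP
ip6tables -A INPUT -i "$WAN_IF" -s FC00::/7 -j DROP
ip6tables -A FORWARD -s ::1/128 -j DROP
ip6tables -A FORWARD -i "$WAN_IF" -s FC00::/7 -j DROP
# NOTE(review): packets arriving on WAN_IF with a source inside LAN_NET or
# DMZ_NET are not rejected in this section — confirm whether a later part
# of the script covers that case.

# Block tunnel prefixes (6to4 and Teredo)
ip6tables -A INPUT -s 2002::/16 -j DROP
ip6tables -A INPUT -s 2001:0::/32 -j DROP
ip6tables -A FORWARD -s 2002::/16 -j DROP
ip6tables -A FORWARD -s 2001:0::/32 -j DROP

# Block IPv6 in IPv4 (protocol 41) on the IPv4 filter
iptables -A INPUT -p 41 -j DROP
iptables -A FORWARD -p 41 -j DROP

# Administration: SSH/HTTP/HTTPS to this host, from the LAN prefix only
ip6tables -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp -m multiport --dport 22,80,443 -j ACCEPT

# NOTE(review): no ICMPv6 (Neighbor Discovery, PMTU) is accepted anywhere in
# this section; with DROP policies on INPUT and OUTPUT it has to be allowed
# explicitly for IPv6 to work at all — confirm it is handled further down.

# Enable forwarding only once the ruleset and its DROP policies are in
# place, so there is no window in which packets are forwarded under the
# previous (flushed) rules.
sysctl -w net.ipv6.conf.all.forwarding=1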